EP 0 813 327 A2

European Patent Office (Europäisches Patentamt / Office européen des brevets)

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 17.12.1997 Bulletin 1997/51
(21) Application number: 97304133.8
(22) Date of filing: 12.06.1997
(51) Int. Cl.: H04L 29/06
(84) Designated Contracting States: AT BE CH DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE
Designated Extension States: AL LT LV RO SI
(30) Priority: 14.06.1996 JP 154118/96
(71) Applicant: CANON KABUSHIKI KAISHA, Tokyo (JP)
(72) Inventor: Yoshimoto, Masahiko, Ohta-ku, Tokyo (JP)
(74) Representative: Beresford, Keith Denis Lewis et al, BERESFORD & Co., 2-5 Warwick Court, High Holborn, London WC1R 5DJ (GB)

(54) Access control system and method

(57) When a server receives a service request from a client, identifiers of a terminal and of a user are acquired from the service request and authority with respect to the service request is uniquely decided from the terminal and user identifiers acquired. It is then determined, using the authority decided, whether or not to accept the service request.
Description

This invention relates to an access control system and method, particularly access control of a distributed system in which the resources of remote sites are shared using a computer network, by way of example.

Access control in a distributed system generally is achieved by combining an authentication mechanism in the distributed system with a resource protection mechanism at each site. For example, a distributed file system, which is a means of sharing files via a network, is used in a comparatively small-scale network environment such as a local area network (LAN). In such case user authentication means at the site level is appropriated in the network environment as well by unifying modes of user management, and resource protection is achieved based upon the authority granted to authenticated users. The file access control means for implementing this generally is provided by the operating system (OS).

In a comparatively large-scale network such as a wide-area network (WAN), on the other hand, use is made of authentication by an authentication system because unifying modes of user management is difficult. In a large-scale network environment, opportunities to share resources per se are fewer than in a small-scale network. However, in terms of providing the mechanism eventually used as the resource protection mechanism, the situation is the same as in the case of the small-scale network environment.

However, the following problems arise in the art described above:

The first problem is that satisfactory reliability cannot be assured merely by applying the site-level user authentication mechanism to a distributed system. Even if modes of user management are unified between sites, no legal force is involved and a certain site is capable of individually altering some of the management information. In cases such as these, it is possible for a site administrator to impersonate a user and it is difficult for the resource provider to detect this.

The second problem is that in a scenario in which the resource protection mechanism provided by the operating system (OS) is applied to distributed resources, ordinarily this is effective only at the site at which the resource protection mechanism is operating. Consequently, if there is an externally applied request for operation of a resource, the request must be dealt with based upon the rightful authority given to the site. However, as long as users once authenticated possess the same authority, it is not possible to cope with a situation in which reliability or level of authorization differ depending upon the site, even for the same user.

Accordingly, an object of the present invention is to provide an access control system and method in which, when shared resources in a distributed system are accessed, the shared resources can be protected safely and flexibly.

According to one aspect of the present invention, the foregoing object is attained by providing an access control system for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising acquisition means for acquiring an identifier of a terminal which requests a service and an identifier of a user, decision means for uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and judging means for judging, using the authority that has been decided, whether or not to accept the service request.

In another aspect of the invention, the foregoing object is attained by providing an access control system for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising relay means for acquiring an identifier of a user requesting a service, intercepting the service request by transmitting, to a prescribed address, a service request message onto which the acquired user identifier has been added, and distributing a received message, and service providing means for acquiring as a user identifier an identifier added onto the received service request message, acquiring as a terminal identifier an identifier of the relay means that transmitted this service request message, uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and judging, using the authority that has been decided, whether or not to accept the service request.

According to the present invention, the foregoing object is attained by providing an access control method for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising an acquisition step of acquiring an identifier of a terminal which requests a service and an identifier of a user, a decision step of uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and a judging step of judging, using the authority that has been decided, whether or not to accept the service request.

In another aspect of the invention, the foregoing object is attained by providing an access control method for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising, in relay means for intercepting a service request and distributing a received message, a first acquisition step of acquiring an identifier of a user requesting a service and a transmission step of transmitting, to service providing means, a service request message to which the acquired user identifier has been added on, and, in the service providing means, a receiving step of receiving a service request message, a second acquisition step of acquiring as a user identifier the identifier added onto the received service request message, and acquiring as a terminal identifier an identifier of the relay means that transmitted this service request message, a decision step of uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and a judging step of judging, using the authority that has been decided, whether or not to accept the service request.

In accordance with the present invention having the configuration described above, it is possible to provide an access control system and method in which, when shared resources in a distributed system are accessed, the shared resources can be protected safely and flexibly.

Embodiments of the present invention will now be described with reference to the accompanying drawings in which:

Fig. 1 is a diagram illustrating an example of the configuration of a network environment according to an embodiment of the present invention;
Fig. 2 is a flowchart showing an example of a procedure through which a server processes a service request from a client;
Fig. 3 is a flowchart showing an example of a procedure through which a server processes a connection request from a client;
Fig. 4 is a flowchart showing an example of a procedure through which a relay server processes a service request from a client;
Fig. 5 is a flowchart showing an example of a procedure through which a relay server processes a connection request from a client;
Fig. 6 is a diagram showing a first example of a storage medium storing program codes according to the present invention; and
Fig. 7 is a diagram showing a second example of a storage medium storing program codes according to the present invention.

An access control system according to embodiments of the present invention will be described in detail with reference to the drawings.

The embodiments described below relate to a distributed system having a plurality of users, particularly a distributed system in which the authorities of individual users are managed uniformly even in a distributed environment in which the modes of user management differ from one site to another.

[First Embodiment]

Fig. 1 is a diagram illustrating an example of the configuration of a network environment according to an embodiment of the present invention.

As shown in Fig. 1, a group of terminals, described later, are connected to a network terminal 101 to construct a computer network. The computer network described here includes an Ethernet, a LAN using an FDDI, a WAN constructed by interconnecting networks by a public telephone line or leased line, etc.



A server terminal 102 is a computer system such as a work station or personal computer run by an application provided in a distributed system. Client terminals 103, 105, 106 are computer systems, which are similar to the server terminal 102, run by applications utilizing resources in the distributed system. An authentication server terminal 104 is a computer system, which is similar to the server terminal 102, run by an authentication server which provides an authentication mechanism in the network environment. The authentication server terminal 104 is provided by a Kerberos system, by way of example.

These computer systems are assigned their own identifiers, which are acquired by communication between any of the terminals. Further, the above-mentioned server application, client applications and authentication server are items of software stored on an external storage medium such as a floppy disk, a hard disk, a magneto-optic drive (MO), a CD-ROM, a CD-R or a magnetic tape, or in any non-volatile semiconductor memory device such as a ROM or flash memory. When necessary the particular software is read in the memory possessed by the terminal and is then executed by a CPU with which the same terminal is provided. It is unnecessary to assign a dedicated terminal to the application software executed, and servers, clients, etc. may operate a certain terminal simultaneously. Further, the term "server" or "client" is a generic term that relates to the role of the application concerning a prescribed service and does not necessarily have a fixed meaning in terms of an application. In actuality, a certain application may be a server with regard to a certain service or a client with regard to a different service.

Fig. 2 is a flowchart showing an example of a procedure through which a server processes a request from a client. The flowchart has a first step S201, at which a terminal identifier is acquired from a service request sent from a client. The user identifier is then acquired from the service request at step S202. Here the processing for acquiring the user identifier employs authentication means supplied by the authentication server. However, an arrangement may be adopted in which the identifier is acquired using means supplied in dependence upon the network environment, e.g. identity inquiry means in conformity with RFC1413 in the TCP/IP (Transmission Control/Internet Protocol) network environment.

Next, at step S203, the corresponding authority of the server terminal is decided based upon the terminal identifier and user identifier acquired. If the requested service is to gain access to resources (e.g. files, devices, etc.) protected by the OS, the authority of the server terminal is an authority defined by the OS. If the requested service is a resource (e.g. shared data in a database management system) protected by the server, then the authority of the server terminal is an authority defined independently by the server.

This is followed by step S204, at which it is determined whether the authority regarding the service request is valid (whether the service request is within the limits of authority). If the authority is valid, then the service request is processed at step S205. Of course, if the authority regarding the service request is invalid (the service request is outside the limits of authority), then the service request is not processed.

The details of processing at steps S203 and S204 will now be described.

If a subset of a quotient lattice decided by a certain equivalence relation is taken in a direct product lattice of a set lattice corresponding to respective ones of the terminal identifiers and user identifiers, an ordered relation in the quotient lattice will hold in this subset. A set M comprising all maximal elements is decided in relation to the ordered relation. On the other hand, take an element r of quotient lattices corresponding to the terminal identifier and user identifier obtained at steps S201 and S202. When there is one for which m ≥ r holds, where m is the element of M, the authority with regard to the request is taken as being valid.

In other words, it is assumed that the above-mentioned equivalence relation, the set of maximal elements and a unique corresponding relationship from the maximal elements to the authority of the server terminal have been obtained in advance with regard to each service. Then, at step S203, an equivalence class with regard to the terminal identifier and user identifier is decided. It is then determined at step S204 whether there is an ordered relation between this equivalence class and a series of maximal elements.

Since all sets in the foregoing are equivalence sets, they are expressed by well-known means, such as a bit string. The equivalence relation, on the other hand, is means for converting the bit string to another, shorter bit string in accordance with rules given by declaration or procedurally.

Abnormalities due to a variety of faults can occur at steps S201 and S202. In such case the element of the quotient lattice corresponding to the least upper bound of the direct product lattice relating to the terminal identifier is substituted as the equivalence class at step S203 in response to an abnormality at step S201. The element of the quotient lattice corresponding to the least upper bound of the direct product lattice relating to the user identifier is substituted in response to an abnormality at step S202. The least upper bound of the quotient lattice is substituted in response to abnormalities at both steps S201 and S202.

By way of example, in a case where a service provided to a user group composed of prescribed users is restricted at a terminal connected to a prescribed network, the following is given as an equivalence relation: "whether or not the terminal is included in a sublattice of a direct product lattice decided by a set of identifiers of terminals connected to a specified network and a set of identifiers of users belonging to a specified user group". In other words, the pair "whether or not the terminal is connected to a specified network" and "whether or not the terminal belongs to a specified user group" is given as the equivalence relation.

As a result, the set of terminal identifiers and the set of user identifiers are each split into two sublattices that do not overlap each other, whereupon there is obtained a quotient lattice of a direct product set comprising 16 elements. This quotient lattice clearly is isomorphic to the direct product lattice of the quotient lattice relating to respective ones of the terminal identifier and user identifier. Accordingly, only one equivalence class corresponding to all pairs of terminal identifiers and user identifiers which will accept a service request is decided in the above-mentioned quotient lattice. This equivalence class is made to correspond to the authority over a service by deciding a set of maximal elements in which this equivalence class is adopted as one element. By virtue of the foregoing operation, the equivalence relation and the set of maximal elements regarding a service, as well as the corresponding relationship to the authority, are specified. In this setting, the pair of terminal identifiers and user identifiers obtained from the service request of the client corresponds to some equivalence class of the quotient lattice. However, acceptance of the request is limited to a case corresponding to an equivalence class employed as a maximal element.
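
The decision at steps S203 and S204, the least-upper-bound substitution for abnormalities at S201/S202, and the 16-element network/user-group example above, as an added Python example (not code from the patent or from Canon); the network range, user group, authority labels and the bit assignment of the classes are constructed assumptions, and the second maximal element illustrates the "weaker authority for the same user" arrangement described later in this embodiment.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Sets are bit strings and the equivalence relation maps an identifier to a
# shorter bit string, as the text describes. One bit per equivalence class.
NET_IN, NET_OUT = 0b01, 0b10     # terminal classes: on / off the specified network
GRP_IN, GRP_OUT = 0b01, 0b10     # user classes: in / not in the specified user group
TOP_T = NET_IN | NET_OUT         # least upper bound of the terminal quotient lattice
TOP_U = GRP_IN | GRP_OUT         # least upper bound of the user quotient lattice


@dataclass(frozen=True)
class QElem:
    """Element of the 16-element quotient lattice of the direct product."""
    t: int   # terminal-class bit string
    u: int   # user-class bit string

    def leq(self, other: "QElem") -> bool:
        # the ordered relation of the quotient lattice: componentwise inclusion
        return (self.t & ~other.t) == 0 and (self.u & ~other.u) == 0


@dataclass
class ServiceSetting:
    """What the server holds in advance for one service: the equivalence relation
    (as two projections) and the maximal elements M, each bound to an authority."""
    terminal_class: Callable[[str], int]
    user_class: Callable[[str], int]
    authority_of: Dict[QElem, str]   # each key is one maximal element m


def decide_class(setting: ServiceSetting,
                 terminal_id: Optional[str], user_id: Optional[str]) -> QElem:
    """Step S203. None models an abnormality at S201/S202: the least upper bound of
    the affected quotient lattice is substituted, so the request can only match a
    maximal element that itself contains that bound (fail closed)."""
    t = TOP_T if terminal_id is None else setting.terminal_class(terminal_id)
    u = TOP_U if user_id is None else setting.user_class(user_id)
    return QElem(t, u)


def judge(setting: ServiceSetting, r: QElem) -> Optional[str]:
    """Step S204: the authority is valid iff some m in M satisfies r <= m.
    Returns the authority bound to that m, or None (request outside authority)."""
    for m, authority in setting.authority_of.items():
        if r.leq(m):
            return authority
    return None


def process_request(setting: ServiceSetting,
                    terminal_id: Optional[str], user_id: Optional[str]) -> Optional[str]:
    """Fig. 2 from S203 onward; identifier acquisition (S201/S202) is assumed done."""
    return judge(setting, decide_class(setting, terminal_id, user_id))


# --- constructed setting: a service restricted to a user group at terminals on one network ---
SPECIFIED_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed (documentation range)
SPECIFIED_GROUP = {"alice", "bob"}                      # constructed user group


def terminal_class(terminal_id: str) -> int:
    try:
        addr = ipaddress.ip_address(terminal_id)
    except ValueError:
        return TOP_T   # unparsable terminal identifier: treated like an abnormality at S201
    return NET_IN if addr in SPECIFIED_NET else NET_OUT


def user_class(user_id: str) -> int:
    return GRP_IN if user_id in SPECIFIED_GROUP else GRP_OUT


SETTING = ServiceSetting(
    terminal_class=terminal_class,
    user_class=user_class,
    authority_of={
        QElem(NET_IN, GRP_IN): "read-write",   # group member at a terminal on the network
        QElem(NET_OUT, GRP_IN): "read-only",   # same users elsewhere: weaker authority
    },
)

if __name__ == "__main__":
    for term, user in [("192.0.2.10", "alice"), ("198.51.100.7", "alice"),
                       ("192.0.2.10", "mallory"), (None, "alice"), ("192.0.2.10", None)]:
        print(term, user, "->", process_request(SETTING, term, user))
```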

More specifically, in accordance with this embodiment, since an equivalence relation in a set naturally corresponds to an equivalence relation in a set lattice, performing grouping with regard to terminals or users is nothing more than shrinking a large set lattice of elements to a small quotient lattice. As a result, a quotient lattice possessing universality with respect to all quotient lattices used by a server exists, and any quotient lattice becomes a quotient lattice obtained by deciding a separate equivalence relation with respect to the quotient lattice possessing universality. The maximal elements decided by the above-mentioned example in which there is a limitation upon services provided to a specified user group at a terminal connected to a specified network correspond to a sublattice of the universal quotient lattice. Accordingly, this is equivalent to effects obtained in a case where, instead of making the setting in the above-mentioned example, use is made of an equivalence relation which determines a quotient lattice having universality and a set of maximal elements comprising the least upper bounds of the sublattice of the quotient lattice.

Thus, in accordance with this embodiment, objects which determine whether authority is given or not can be aggregated in arbitrary units. This makes it possible to establish access control in highly flexible fashion.

Furthermore, in accordance with embodiments described below, it will be illustrated that the present invention is effective also in regard to supporting a distributed environment in which user management modes are different. More specifically, if all pairs of terminal identifiers and user identifiers regarding one and the same user are regarded as being equivalent, and if this is performed with respect to all users, then one equivalence relation will be obtained. The element of the quotient lattice obtained by this equivalence relation is decided, with regard to individual users, without relation to differences in the user management modes. Accordingly, the set of maximal elements may be decided regarding the quotient lattice as being a universal quotient lattice, and a simpler quotient lattice may be decided using a separate equivalence relation. Further, in order to inhibit illegitimate access from a terminal having poor security, it is also possible to adopt an arrangement in which the equivalence class regarding one and the same user is divided into two parts in conformity with the level of security, and weak authority is given to the equivalence class having the lower level.

[Second Embodiment] 

An access control system according to a second embodiment of the present invention will now be described. In the second embodiment, elements substantially the same as those of the first embodiment are designated by like reference characters and need not be described again.

The procedure shown in Fig. 2 makes it possible, even for one and the same user, to arbitrarily set the level of authority in dependence upon the terminal utilized by this user. However, the above-mentioned procedure is such that authentication processing regarding a user is executed with regard to all service requests, and problems in terms of efficiency arise in a case where a service request is issued repeatedly. Accordingly, in the second embodiment, from the standpoint that it will suffice to assure security below a so-called transport level, authentication processing is executed when the connection of a transport level is set.

Fig. 3 is a flowchart showing an example of a processing procedure executed when establishing the connection of a transport level.

At steps S301 through S303, a terminal identifier and a user identifier are acquired from a connection request and the corresponding authority in terms of the server terminal is decided. This is similar to the processing of steps S201 and S203 shown in Fig. 2. It is determined at step S304 whether the decided authority is valid at the server. If the authority is valid, then the connection request is accepted at step S305. Of course, if the authority that has been decided is not valid at the server, then the connection request is not accepted.

The processing procedure for a service request in a case where a connection request is processed in accordance with the procedure shown in Fig. 3 is modified to exclude the steps from S201 to S203 from the procedure of Fig. 2 and, in their place, retrieve the authority decided at step S303 from the service request. This modification of the procedure is easy to perform. Specifically, it will suffice to record a pair consisting of a connection identifier and the authority and retrieve the authority from the connection identifier at step S305 when the service request is processed. It should be noted that the pair consisting of the connection identifier and the authority is destroyed autonomously at the server when the connection is broken.

The processing of steps S303 and S304 is similar to the processing of steps S203 and S204 shown in Fig. 2. However, rather than using settings relating to services, use is made of settings relating to a connection, namely an equivalence relation, a set of maximal elements and a unique corresponding relationship from the maximal elements to the authority of the server terminal. As for the settings relating to a connection and the settings relating to a series of services, usually whatever satisfies the criteria in the former is selected so as to satisfy the criteria in the latter, although in general the two may be independent of each other.

[Third Embodiment]

An access control system according to a third embodiment of the present invention will now be described. In the third embodiment, elements substantially the same as those of the first embodiment are designated by like reference characters and need not be described again.

In a distributed system of a certain type, a certain type of server (referred to below as a "relay server") is provided. Specifically, service requests issued by a plurality of clients simultaneously at client stations are sent to a server collectively by the relay server and messages sent from a server are distributed to the clients by the relay server. Such a configuration is very effective in a case where replicas of shared resources are held at the client terminals and in a case where messages from the server are sent to a series of clients in the manner of a broadcast. In a configuration of this kind, it is possible to simplify the procedure shown in Fig. 2 or Fig. 3, as will be described below.

First, processing for confirming authority is performed between a server and a relay server in accordance with the procedure shown in Fig. 2 or Fig. 3. The reason for this is that a service which a server provides directly to a relay server differs from that provided to a client; the relay server provides a mechanism for intercepting a request from the client. Accordingly, steps S203 and S204 shown in Fig. 2 are executed based upon setting relating to the service. Step S205, rather than being a step for processing a service request, is a step for processing a service intercept request. It should be noted that the service intercept request processing per se is executed in accordance with the procedure from step S203 onward in the first embodiment using a user identifier and terminal identifier of the relay server obtained through the procedure described below.

Fig. 4 is a flowchart illustrating an example of a procedure, which corresponds to Fig. 2, which a relay server executes with respect to each client in a distributed system of the kind set forth above.

The flowchart has a first step S401, at which a user identifier is acquired from a service request. Since a relay server and a client are operating one and the same terminal, the processing for acquiring the user identifier is capable of being executed securely and efficiently without using an authentication server or the like.

Next, in a case where various settings relating to a series of services have been provided by a server, authority is decided at step S402 and the validity thereof with respect to the service request is discriminated at step S403. Steps S402 and S403 are for suppressing needless relaying of service requests. Though it is preferred that this actually be carried out, it is possible for this to be omitted.

Finally, service-request intercept processing is executed at step S404. This processing involves transferring, to the server, a message obtained by adding the user identifier acquired at step S401 onto the request message of the client. The user identifier added on is nothing more than a user identifier necessary in service-request intercept processing at the relay server.

Fig. 5 is a flowchart illustrating an example of a procedure, which corresponds to Fig. 3, which a relay server executes with respect to each client.

Step S501 in Fig. 5 is for acquiring a user identifier from a connection request in the same manner as at step S401 in Fig. 4.

Next, in a case where various settings relating to a connection request have been provided by a server, authority is decided at step S502 and the validity of the decided authority is discriminated at step S503. Steps S502 and S503 are for suppressing needless relaying of connection requests. Though it is preferred that this actually be carried out, it is possible for this to be omitted.

Finally, at step S504, the connection request is accepted and the pair consisting of the connection identifier and user identifier received is recorded.

Thereafter, the relay server subjects the accepted connection to processing for intercepting a service request from a client. This intercept processing involves transferring, to the server, a message obtained by adding the user identifier recorded at step S504 onto the request message of the client. It should be noted that the pair consisting of the recorded connection identifier and user identifier is destroyed autonomously at the relay server when the connection is broken.
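
The connection-level record of the second embodiment (Fig. 3, with the pair destroyed when the connection breaks) and the relay server's user-identifier add-on of Figs. 4 and 5, as an added Python example rather than code from the patent; the "USER=" message framing, the policy function, and the terminal and user names are constructed assumptions, and the policy stands in for the lattice decision of the first embodiment.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional, Tuple

# Authority is modelled as the set of operations the server permits. The decider
# stands in for steps S203/S204 (any policy, such as the lattice decision, fits).
Authority = FrozenSet[str]
Decider = Callable[[str, str], Optional[Authority]]   # (terminal_id, user_id) -> authority

INTERCEPT = "intercept"   # the service a server provides to a relay server, not to clients


def add_user_id(user_id: str, request: str) -> str:
    """S404: add the user identifier onto the client's request (constructed framing)."""
    if not user_id or "\n" in user_id or "=" in user_id:
        raise ValueError("user identifier must be non-empty and free of framing characters")
    return f"USER={user_id}\n{request}"


def parse_relayed(message: str) -> Tuple[Optional[str], str]:
    """Split a relayed message into (user identifier, original request); None if unframed."""
    header, sep, payload = message.partition("\n")
    if not sep or not header.startswith("USER=") or len(header) == len("USER="):
        return None, message
    return header[len("USER="):], payload


@dataclass
class ServiceServer:
    decide_authority: Decider
    # connection identifier -> (terminal identifier, authority), recorded at S305
    _conns: Dict[str, Tuple[str, Authority]] = field(default_factory=dict, init=False)

    def on_connect(self, conn_id: str, terminal_id: str, user_id: str) -> bool:
        """Fig. 3: S301-S304 decide authority from the connection request; S305 records it."""
        authority = self.decide_authority(terminal_id, user_id)
        if not authority:
            return False
        self._conns[conn_id] = (terminal_id, authority)
        return True

    def on_request(self, conn_id: str, op: str) -> bool:
        """Fig. 2 with S201-S203 replaced by a lookup on the connection identifier."""
        entry = self._conns.get(conn_id)
        if entry is None:
            return False          # unknown or already closed connection: fail closed
        return op in entry[1]

    def on_relayed_request(self, relay_conn_id: str, message: str, op: str) -> bool:
        """Service-intercept request: the user identifier comes from the message, the
        terminal identifier is the relay server's own, and authority is decided from S203 on."""
        entry = self._conns.get(relay_conn_id)
        if entry is None or INTERCEPT not in entry[1]:
            return False          # this connection was never authorised to intercept
        relay_terminal_id = entry[0]
        user_id, _request = parse_relayed(message)
        if user_id is None:
            return False
        authority = self.decide_authority(relay_terminal_id, user_id)
        return bool(authority) and op in authority

    def on_disconnect(self, conn_id: str) -> None:
        """The (connection identifier, authority) pair is destroyed when the connection breaks."""
        self._conns.pop(conn_id, None)


@dataclass
class RelayServer:
    _user_by_conn: Dict[str, str] = field(default_factory=dict, init=False)

    def on_client_connect(self, conn_id: str, local_user_id: str) -> None:
        """Fig. 5: S501 acquires the user identifier locally (relay and client share the
        terminal); S504 records the (connection identifier, user identifier) pair."""
        self._user_by_conn[conn_id] = local_user_id

    def intercept(self, conn_id: str, request: str) -> Optional[str]:
        """Message forwarded to the server for a request on an accepted client connection."""
        user_id = self._user_by_conn.get(conn_id)
        return None if user_id is None else add_user_id(user_id, request)

    def on_client_disconnect(self, conn_id: str) -> None:
        self._user_by_conn.pop(conn_id, None)


# --- constructed policy standing in for the per-service settings of the first embodiment ---
TRUSTED_TERMINALS = {"ws-01", "relay-host"}
GROUP = {"alice", "bob"}


def policy(terminal_id: str, user_id: str) -> Optional[Authority]:
    if (terminal_id, user_id) == ("relay-host", "relayd"):
        return frozenset({INTERCEPT})          # the relay may intercept and nothing else
    if user_id not in GROUP:
        return None
    if terminal_id in TRUSTED_TERMINALS:
        return frozenset({"read", "write"})
    return frozenset({"read"})                 # same user at another terminal: weaker authority
```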

[Fourth Embodiment]

An access control system according to a fourth embodiment of the present invention will now be described. In the fourth embodiment, elements substantially the same as those of the first embodiment are designated by like reference characters and need not be described again.



In the third embodiment, authentication of the relay server by a third party such as an authentication server may be omitted in a case where the security of the terminal being operated by the relay server is assured and the relay server is a privileged process in the OS at this terminal. For example, in a TCP/IP network environment, privilege is necessary in an address setting based upon a port number of No. 1023 or less, depending upon the OS of the terminal.

In accordance with this embodiment, the relay server performs the address setting based upon a privileged port number, and the server verifies whether this address is one that has been set by the relay server, thereby making possible identity inquiry of the relay server without relying upon third-party authentication means. Here simple verification means will suffice, such as means for performing regression transfer of any bit pattern selected randomly by communication using the above-mentioned privileged port. The reason for this is that as long as the security of the terminal is assured, an unlawful privileged process which sends back the bit pattern cannot exist. Of course, such means are hazardous in a WAN environment because the reliability of intervening signal paths cannot in general be assured, but they are practical in many LAN environments used in offices or the like.

[Other Embodiments] 

The present invention can be applied to a system constituted by a plurality of devices (e.g., a host computer, interface, reader, printer, etc.) or to an apparatus comprising a single device (e.g., a copier or facsimile machine, etc.).

Further, it goes without saying that the object of the present invention can also be achieved by providing a storage medium storing program codes for performing the aforesaid functions of the foregoing embodiments to a system or an apparatus, reading the program codes with a computer (e.g., a CPU or MPU) of the system or apparatus from the storage medium, and then executing the program. In this case, the program codes read from the storage medium implement the functions according to the embodiments, and the storage medium storing the program codes constitutes the invention. Further, the storage medium, such as a floppy disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, magnetic tape, non-volatile type memory card or ROM can be used to provide the program codes.

Furthermore, besides the case where the aforesaid functions according to the embodiments are implemented by executing the program codes read by a computer, it goes without saying that the present invention covers a case where an operating system (OS) or the like working on the computer performs a part of or the entire process in accordance with the designation of program codes and implements the functions according to the embodiment.
Furthermore, it goes without saying that the present invention further covers a case where, after the program codes read from the storage medium are written to a function extension board inserted into the computer or to a memory provided in a function extension unit connected to the computer, a CPU or the like contained in the function extension board or function extension unit performs a part of or the entire process in accordance with the designation of program codes and implements the function of the above embodiments.

In a case where the present invention is applied to 
the above-mentioned storage medium, program codes 
corresponding to the flowchart described earlier are 
stored on this storage medium. More specifically, mod- 
ules illustrated in the example of the memory map of 
Fig. 6 or Fig. 7 are stored on the storage medium. 

Specifically, it will suffice to store program codes of at least the modules "identifier acquisition", "authority decision" and "validity judgment" on the storage medium, or to store program codes of at least the modules "identifier acquisition A", "identifier add-on" and "transmission" for the relay means and program codes of at least "reception", "identifier acquisition B", "authority decision" and "validity judgment" for the service providing means. 

As many apparently widely different embodiments of the present invention can be made without departing from the scope thereof, it is to be understood that the invention is not limited to the specific embodiments thereof except as defined in the appended claims. 

Claims 

1. An access control method for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising: 

an acquisition step (S201, S202, S301, S302, S401, S501) of acquiring an identifier of a terminal which requests a service and an identifier of a user; 

a decision step (S203, S303, S402, S502) of uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired; and 

a judging step (S204, S304, S403, S503) of judging, using the authority that has been decided, whether or not to accept the service request. 

2. The method according to claim 1, wherein said acquisition step acquires the terminal identifier and the user identifier for every service request message. 

3. The method according to claim 1, wherein said acquisition step acquires the terminal identifier and the user identifier when a connection is requested. 



4. An access control method for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising: 

in relay means for intercepting a service request and distributing a received message, a first acquisition step (S201, S301, S401, S501) of acquiring an identifier of a user requesting a service and a transmission step (S201, S301, S401, S501) of transmitting, to service providing means, a service request message onto which the acquired user identifier has been added; and 

in said service providing means, a receiving step (S202, S302) of receiving a service request message, a second acquisition step of acquiring as a user identifier the identifier added onto the received service request message, and acquiring as a terminal identifier an identifier of the relay means that transmitted this service request message, a decision step (S203, S303, S402, S502) of uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and a judging step (S204, S304, S403, S503) of judging, using the authority that has been decided, whether or not to accept the service request. 

30 

5. The method according to claim 4, wherein said first acquisition step acquires the user identifier for every service request message. 

6. The method according to claim 4, wherein said first acquisition step acquires the user identifier when a connection is requested. 

7. The method according to claim 4, wherein said second acquisition step acquires the terminal identifier of said relay means for every service-intercept request message received from said relay means. 

8. The method according to claim 4, wherein said second acquisition step acquires the terminal identifier of said relay means when a connection is requested by said relay means. 

9. The method according to claim 4, wherein in a case where a service-intercept request is made using privileged resources at a terminal at which said intercept means operates, said service providing means accepts this service-intercept request. 

10. An access control system for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising: 

acquisition means for acquiring an identifier of a terminal which requests a service and an identifier of a user; 

decision means for uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired; and 

judging means for judging, using the authority that has been decided, whether or not to accept the service request. 

11. An access control system for controlling access to a distributed system in which resources of remote sites are shared using a computer network, comprising: 

relay means for acquiring an identifier of a user requesting a service, intercepting the service request by transmitting, to a prescribed address, a service request message onto which the acquired user identifier has been added, and distributing a received message; and 

service providing means for acquiring as a user identifier an identifier added onto the received service request message, acquiring as a terminal identifier an identifier of said relay means that transmitted this service request message, uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and judging, using the authority that has been decided, whether or not to accept the service request. 

12. A computer readable memory storing program codes relating to access control of a distributed system in which resources of remote sites are shared using a computer network, comprising: 

a program code of an acquisition step of acquiring an identifier of a terminal which requests a service and an identifier of a user; 

a program code of a decision step of uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired; and 

a program code of a judging step of judging, using the authority that has been decided, whether or not to accept the service request. 

13. A computer readable memory storing program codes relating to access control of a distributed system in which resources of remote sites are shared using a computer network, comprising: 

for relay means which intercepts a service request and distributes a received message, a program code of a first acquisition step of acquiring an identifier of a user requesting a service and a program code of a transmission step of transmitting, to service providing means, a service request message onto which the acquired user identifier has been added; and 

for service providing means, a program code of a receiving step of receiving a service request message, a program code of a second acquisition step of acquiring as a user identifier the identifier added onto the received service request message, and acquiring as a terminal identifier an identifier of the relay means that transmitted this service request message, a program code of a decision step of uniquely deciding authority over the service request based upon the terminal identifier and user identifier that have been acquired, and a program code of a judging step of judging, using the authority that has been decided, whether or not to accept the service request. 
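The two claimed models, worked through in code. This is an added example and not part of the patent: the authority table contents, the terminal and user names, and the `privileged` flag on the relay connection (standing in for "privileged resources at the terminal" in claim 9; how that is established, e.g. a reserved source port, is an assumption here) are all constructed. It shows the claim 1 path, where both identifiers are acquired from the request, and the claim 4 path, where the relay adds the user identifier and the server takes the terminal identifier from the relay that sent the message rather than from any field the client controls. 

```python
"""Worked model of the access control decision in claims 1 and 4 (added example)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Authority table keyed by (terminal identifier, user identifier).
# Constructed sample data; the patent does not specify the table contents.
AUTHORITY_TABLE: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("term-103", "alice"): frozenset({"read", "print"}),
    ("term-105", "alice"): frozenset({"read"}),
    ("term-105", "bob"): frozenset({"read", "write"}),
}
NO_AUTHORITY: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class ServiceRequest:
    """A service request as the server sees it in the claim 1 model:
    both identifiers are acquired from the request itself."""
    terminal_id: str
    user_id: str
    service: str


def decide_authority(terminal_id: str, user_id: str) -> FrozenSet[str]:
    """Decision step: authority is uniquely determined by the pair, so an
    unknown pair yields no authority rather than a default allow."""
    return AUTHORITY_TABLE.get((terminal_id, user_id), NO_AUTHORITY)


def judge_validity(authority: FrozenSet[str], service: str) -> bool:
    """Judging step: accept only if the decided authority covers the service."""
    return service in authority


def process_service_request(req: ServiceRequest) -> bool:
    """Claim 1: acquisition (S201/S202), decision (S203), judgment (S204)."""
    return judge_validity(decide_authority(req.terminal_id, req.user_id), req.service)


@dataclass(frozen=True)
class RelayConnection:
    """What the server knows about the connection a message arrived on.
    `privileged` models "privileged resources at the terminal" (claim 9);
    how it is established (e.g. a reserved source port) is an assumption."""
    relay_id: str
    privileged: bool


@dataclass(frozen=True)
class RelayedMessage:
    """Service request message after the relay has added the user identifier."""
    user_id: str
    service: str


def relay_intercept(local_user: str, service: str) -> RelayedMessage:
    """Relay side of claim 4: first acquisition step (S401) plus transmission
    step; the user identifier comes from the relay's own session state."""
    return RelayedMessage(user_id=local_user, service=service)


def process_relayed_request(conn: RelayConnection, msg: RelayedMessage) -> bool:
    """Server side of claims 4 and 9. The user identifier is read from the
    message; the terminal identifier is the identity of the relay that sent
    it, so a client cannot choose its own terminal identifier."""
    if not conn.privileged:
        # Claim 9: only intercept requests from privileged resources are accepted.
        return False
    authority = decide_authority(conn.relay_id, msg.user_id)
    return judge_validity(authority, msg.service)


if __name__ == "__main__":
    print(process_service_request(ServiceRequest("term-103", "alice", "print")))  # True
    print(process_relayed_request(RelayConnection("term-105", True),
                                  relay_intercept("bob", "write")))  # True
    print(process_relayed_request(RelayConnection("term-105", False),
                                  relay_intercept("bob", "write")))  # False
```

The design point worth noticing is in `process_relayed_request`: the (terminal, user) pair that selects the authority row is half server-observed (the relay's identity and whether its request came from privileged resources) and half relay-asserted (the user identifier), which is why the description treats this arrangement as practical on a LAN but hazardous on a WAN, where the path between relay and server cannot be relied upon. 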



FIG. 1 (system configuration): server (102), authentication server (104) and clients (103, 105, 106) connected via the network. 

FIG. 2 (processing of service request): START; S201 acquire terminal identifier from service request; S202 acquire user identifier from service request; S203 decide corresponding authority of server terminal; S205 (box text not legible). 

FIG. 3 (processing of connection request): START; S301 acquire terminal identifier from connection request; S302 acquire user identifier from connection request. 

FIG. 4 (processing of service request): START; S401 acquire user identifier from service request; S402 decide corresponding authority of server terminal; S403 is authority with regard to service request valid?; YES: S404 execute service-request intercept processing; END. 

FIG. 5 (processing of connection request): START; S501 acquire user identifier from connection request. 

FIG. 6 (memory map): directory information; service-request reception module; identifier acquisition module; authority decision module; service-request validity judgment module; service-request processing module. 

FIG. 7 (memory map): directory information; identifier acquisition module; identifier add-on module; service-request transmission module; received-message distribution module; service-request reception module; identifier acquisition module; authority decision module; service-request validity judgment module; service-request processing module. 

(19) Europaisches Patentamt / European Patent Office / Office europeen des brevets 

(12) EUROPEAN PATENT APPLICATION 

(11) EP 0 813 327 A3 

(88) Date of publication A3: 09.05.2001 Bulletin 2001/19 

(43) Date of publication A2: 17.12.1997 Bulletin 1997/51 

(21) Application number: 97304133.8 

(22) Date of filing: 12.06.1997 

(51) Int Cl.: H04L 29/06 

(84) Designated Contracting States: AT BE CH DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE 
Designated Extension States: AL LT LV RO SI 

(30) Priority: 14.06.1996 JP 154118/96 

(71) Applicant: CANON KABUSHIKI KAISHA, Tokyo (JP) 

(72) Inventor: Yoshimoto, Masahiko, Ohta-ku, Tokyo (JP) 

(74) Representative: Beresford, Keith Denis Lewis et al, BERESFORD & Co., 2-5 Warwick Court, High Holborn, London WC1R 5DJ (GB) 

(54) Access control system and method 

(57) When a server (102) receives a service request from a client (105, 106, 103), identifiers of a terminal (S201) and of a user (S202) are acquired from the service request and authority with respect to the service request is uniquely decided (S203) from the terminal and user identifiers acquired. It is then determined (S304), using the authority decided, whether or not to accept the service request. 



FIG. 2 (processing of service request): START; S201 acquire terminal identifier from service request; S202 acquire user identifier from service request; S203 decide corresponding authority of server terminal; S205 (box text not legible). 

Printed by Jouve, 75001 PARIS (FR) 

EP 0 813 327 A3 

European Patent Office 

EUROPEAN SEARCH REPORT 

Application Number: EP 97 30 4133 

DOCUMENTS CONSIDERED TO BE RELEVANT 

Citation of document with indication, where appropriate, of relevant passages: 

US 4 672 572 A (ALSBERG PETER), 9 June 1987 (1987-06-09): column 1, lines 11-17; column 1, lines 36-50; column 5, lines 51-57; column 7, lines 31-43; column 9, lines 35-42 

EP 0 604 911 A (NIPPON TELEGRAPH & TELEPHONE), 6 July 1994 (1994-07-06): column 2, lines 3-56 

US 4 916 738 A (CHANDRA AKHILESHWARI N ET AL), 10 April 1990 (1990-04-10): column 2, line 59 - column 3, line 54; column 18, lines 60-65 

US 4 891 838 A (FABER LAWRENCE M), 2 January 1990 (1990-01-02): column 2, line 67 - column 3, line 4; column 4, lines 17-52 

TANENBAUM A S: "THE AMOEBA DISTRIBUTED OPERATING SYSTEM A STATUS REPORT", COMPUTER COMMUNICATIONS, NL, ELSEVIER SCIENCE PUBLISHERS BV, AMSTERDAM, vol. 14, no. 6, pages 324-335, XP000219165, ISSN: 0140-3664: the whole document; page 328, right-hand column 

US 5 261 070 A (OHTA JUNICHI), 9 November 1993 (1993-11-09): column 4, lines 7-14; column 5, line 60 - column 6, line 5 

-/-- (continued on the next sheet) 

Relevant to claim (values as they appear in the column; the category codes and the assignment to individual citations are not legible): 1,10,12; 2,3; 1,10,12; 1,10,12 

CLASSIFICATION OF THE APPLICATION (Int.Cl.6): H04L29/06 

TECHNICAL FIELDS SEARCHED (Int.Cl.6): H04L, G06F 

The present search report has been drawn up for all claims. 

Place of search: THE HAGUE 
Date of completion of the search: 12 March 2001 
Examiner: Brichau, G 

CATEGORY OF CITED DOCUMENTS 
X : particularly relevant if taken alone 
Y : particularly relevant if combined with another document of the same category 
A : technological background 
O : non-written disclosure 
P : intermediate document 
T : theory or principle underlying the invention 
E : earlier patent document, but published on, or after the filing date 
D : document cited in the application 
L : document cited for other reasons 
& : member of the same patent family, corresponding document 



EP 0 813 327 A3 

European Patent Office 

Application Number: EP 97 30 4133 

CLAIMS INCURRING FEES 

The present European patent application comprised at the time of filing more than ten claims. 

□ Only part of the claims have been paid within the prescribed time limit. The present European search report has been drawn up for the first ten claims and for those claims for which claims fees have been paid, namely claim(s): 

□ No claims fees have been paid within the prescribed time limit. The present European search report has been drawn up for the first ten claims. 

LACK OF UNITY OF INVENTION 

The Search Division considers that the present European patent application does not comply with the requirements of unity of invention and relates to several inventions or groups of inventions, namely: 

see sheet B 

□ All further search fees have been paid within the fixed time limit. The present European search report has been drawn up for all claims. 

□ As all searchable claims could be searched without effort justifying an additional fee, the Search Division did not invite payment of any additional fee. 

□ Only part of the further search fees have been paid within the fixed time limit. The present European search report has been drawn up for those parts of the European patent application which relate to the inventions in respect of which search fees have been paid, namely claims: 

□ None of the further search fees have been paid within the fixed time limit. The present European search report has been drawn up for those parts of the European patent application which relate to the invention first mentioned in the claims, namely claims: 



EP 0 813 327 A3 

European Patent Office 

EUROPEAN SEARCH REPORT (continued) 

Application Number: EP 97 30 4133 

DOCUMENTS CONSIDERED TO BE RELEVANT 

Citation of document with indication, where appropriate, of relevant passages: 

US 5 754 939 A (MARCUS MITCHELL P ET AL), 19 May 1998 (1998-05-19): column 5, lines 52-61; column 31, line 23 - column 33, line 60; column 36, line 1 - column 38, line 4. Relevant to claims 4, 11, 13. 

US 5 343 529 A (MONTGOMERY ROBERT A ET AL), 30 August 1994 (1994-08-30): column 2, lines 8-45; claims 1, 13. Relevant to claims 4, 11, 13. 

The present search report has been drawn up for all claims. 

Place of search: THE HAGUE 
Date of completion of the search: 12 March 2001 
Examiner: Brichau, G 



EP 0 813 327 A3 

European Patent Office 

LACK OF UNITY OF INVENTION, SHEET B 

Application Number: EP 97 30 4133 

The Search Division considers that the present European patent application does not comply with the requirements of unity of invention and relates to several inventions or groups of inventions, namely: 

1. Claims: 1, 2, 3, 10, 12 

An access control method and system for controlling access to a distributed system comprising an acquisition step of a terminal and a user identifier, a decision step on authority based on these two identifiers and a judging step, using the decided authority, whether or not to accept the service request. 

2. Claims: 4-9, 11, 13 

An access control method and system for controlling access to a distributed system comprising, in relay means, a first acquisition step of a user identifier and a transmission step of a service request message with the acquired user identifier added to a service providing means. 
In the service providing means: 

- a receiving step of the service request message 

- a second acquisition step of the user identifier added onto the message 

- the acquisition of a terminal identifier identifying the relay means 

- an authority decision step based upon terminal and user identifiers 

- a judging step using the decided authority whether or not to accept the service request 



EP 0 813 327 A3 

ANNEX TO THE EUROPEAN SEARCH REPORT ON EUROPEAN PATENT APPLICATION NO. EP 97 30 4133 

This annex lists the patent family members relating to the patent documents cited in the above-mentioned European search report. The members are as contained in the European Patent Office EDP file on 12-03-2001. 
The European Patent Office is in no way liable for these particulars which are merely given for the purpose of information. 

Patent document cited in search report   Publication date   Patent family member(s)   Publication date 

US 4672572 A     09-06-1987     NONE 

EP 0604911 A     06-07-1994     JP 3054 7R7 R (as scanned)     17 Uu tUUU (as scanned) 
                                JP 6204945 A                   22-07-1994 
                                JP 6202864 A                   22-07-1994 
                                US 5390252 A                   14-02-1995 

US 4916738 A     10-04-1990     EP 0268141 A                   25-05-1988 
                                JP 1817265 C                   18-01-1994 
                                JP 5024696 B                   08-04-1993 
                                JP 63125030 A                  28-05-1988 

US 4891838 A     02-01-1990     NONE 

US 5261070 A     09-11-1993     CA 1286417 A                   16-07-1991 
                                (country and number as scanned: UL 17 si a an a a)   22-04-1993 
                                DE 3784804 T                   24-06-1993 
                                FP (as scanned; number illegible) A   27-01-1988 
                                JP 1765627 C                   11-06-1993 
                                JP 4053464 B                   26-08-1992 
                                JP 63146535 A                  18-06-1988 

US 5754939 A     19-05-1998     US 575825? A (as scanned)      26-05-1998 
                                AU 703247 B                    25-03-1999 
                                AU 4410396 A                   19-06-1996 
                                CA 2207868 A                   06-06-1996 
                                EP 0796538 A                   24-09-1997 
                                US 6020883 A                   01-02-2000 
                                WO 9617467 A                   06-06-1996 
                                US 5734720 A                   31-03-1998 
                                US 5754938 A                   19-05-1998 
                                US 5835087 A                   10-11-1998 
                                US 6088722 A                   11-07-2000 
                                US 6029195 A                   22-02-2000 

US 5343529 A     30-08-1994     NONE 

For more details about this annex: see Official Journal of the European Patent Office, No. 12/82 



